From bfba665248edb40b574e2f39eff8771309afd1e5 Mon Sep 17 00:00:00 2001 From: Jochen Issing Date: Sat, 4 Apr 2026 20:09:29 +0200 Subject: [PATCH 1/3] Replace postfix + postfix_milters with unified container Migrate from two-container setup (postfix 2026-02-16.1 + postfix-milters 2023-01-22.1) to single unified container (postfix_for_postfixadmin 2026-04-04.1) that includes all milter services. Changes: - Remove postfix_milters service (now built into postfix container) - Remove postfix_staging service (validation complete) - Update postfix image to 2026-04-04.1 - Add milter env vars to postfix (POSTGREY/SPAMASS/DKIM/DMARC socket paths, DKIM_DOMAINS, DKIM_SELECTOR, DKIM_KEY_PATH, MAIL_HOSTNAME) - Add opendkim_key secret to postfix service - Add spamass_vhome volume to postfix service - Remove depends_on postfix_milters - Clean up staging volume from compose and Ansible tasks Deploy with: docker compose up -d --remove-orphans The --remove-orphans flag will stop the old postfix_milters and postfix_staging containers. Co-Authored-By: Claude Opus 4.6
---
 roles/compose/files/docker-compose.yaml | 81 +++----------------------
 roles/compose/tasks/main.yaml | 1 -
 2 files changed, 9 insertions(+), 73 deletions(-)
diff --git a/roles/compose/files/docker-compose.yaml b/roles/compose/files/docker-compose.yaml
index 5a3e4d5..9b56b97 100644
--- a/roles/compose/files/docker-compose.yaml
+++ b/roles/compose/files/docker-compose.yaml
@@ -160,31 +160,13 @@ services:
 ]
 restart: unless-stopped
- # Postfix milters (DKIM, DMARC)
- postfix_milters:
- image: nesono/postfix-milters:2023-01-22.1
- environment:
- SPAMASS_SOCKET_PATH: "private/spamass"
- DKIM_SOCKET_PATH: "private/dkim"
- DKIM_DOMAINS: "nesono.com,issing.link,noerpel.net,frankfriedbert.de,byorkesterbaritone.com"
- DKIM_SELECTOR: "2023-01-04"
- DKIM_KEY_PATH: "/run/secrets/opendkim_key"
- DMARC_SOCKET_PATH: "private/dmarc"
- MAIL_HOSTNAME: "smtp.nesono.com"
- volumes:
- - mail:/var/mail
- - mail_spool:/var/spool/postfix
- - spamass_vhome:/vhome/users
- secrets:
- - opendkim_key
- networks:
- - mail_internal
- restart: unless-stopped
-
- # Staging: unified postfix + milters (for validation before cutover)
- postfix_staging:
+ # Postfix SMTP server (unified with milters since 2026-04-04)
+ postfix:
+ depends_on:
+ - mysql_mail
+ - dovecot # SASL authentication
 image: nesono/postfix_for_postfixadmin:2026-04-04.1
- container_name: postfix_staging
+ container_name: postfix
 environment:
 MYHOSTNAME: "smtp.nesono.com"
 MYNETWORKS: "5.9.123.102"
@@ -198,9 +180,10 @@ services:
 DOVECOT_LMTP_PATH: "private/dovecot-lmtp"
 SPF_ENABLE: "1"
 SMTPS_ENABLE: "1"
+ CERT_NAME: "mail.nesono.com"
 AUTHORIZED_SMTPD_XCLIENT_HOSTS: "172.20.0.1"
 SPAMHAUS_DISABLE: "1"
- # Milter env vars (merged from postfix_milters)
+ # Milter env vars (previously on postfix_milters container)
 POSTGREY_SOCKET_PATH: "private/postgrey"
 SPAMASS_SOCKET_PATH: "private/spamass"
 DKIM_SOCKET_PATH: "private/dkim"
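Review bot: The `image:` line of the now-unified `postfix` service pins a tag only, and a tag can be re-pushed with different content. A later `docker compose pull` could therefore deploy bits that were never the ones validated in staging, into the container that now carries SMTP and all milters. Keeping the readable tag and appending the digest makes the deployed image verifiable: `image: nesono/postfix_for_postfixadmin:2026-04-04.1@sha256:<digest-of-validated-image>`. The service definition continues past the end of this hunk.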
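Review bot: `AUTHORIZED_SMTPD_XCLIENT_HOSTS: "172.20.0.1"` has no comment saying which peer that address is, and after this change postgrey and the SPF check run in the same container that trusts it. XCLIENT lets the authorized peer supply the client address and name that those checks and `MYNETWORKS` act on. The value looks like a Docker bridge gateway, which is an assumption since the network definition is not in this hunk; it is worth confirming that connections arriving through the published ports are never seen by Postfix with that source address. Suggested comment above the line: `# XCLIENT only for the host-side proxy at the bridge gateway; external SMTP clients must never arrive with this source IP`.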
@@ -213,47 +196,6 @@ services:
 - mysql_mail_password
 - mysql_mail_user
 - opendkim_key
- ports:
- - "127.0.0.1:2525:25" # localhost only, for testing
- volumes:
- - mail:/var/mail
- - mail_spool_staging:/var/spool/postfix
- - spamass_vhome:/vhome/users
- - /svc/volumes/acme/certs/mail.nesono.com:/etc/postfix/certs:ro
- networks:
- - mail_external
- - mail_internal
- restart: "no"
-
- # Postfix SMTP server
- postfix:
- depends_on:
- - mysql_mail
- - dovecot # SASL authentication
- - postfix_milters
- image: nesono/postfix_for_postfixadmin:2026-02-16.1
- container_name: postfix
- environment:
- MYHOSTNAME: "smtp.nesono.com"
- MYNETWORKS: "5.9.123.102"
- SQL_USER_FILE: /run/secrets/mysql_mail_user
- SQL_PASSWORD_FILE: /run/secrets/mysql_mail_password
- SQL_HOST: mysql_mail
- SQL_DB_NAME: mailserver
- TLS_CERT: /etc/postfix/certs/fullchain.pem
- TLS_KEY: /etc/postfix/certs/key.pem
- DOVECOT_SASL_SOCKET_PATH: "private/auth"
- DOVECOT_LMTP_PATH: "private/dovecot-lmtp"
- DKIM_SOCKET_PATH: "private/dkim"
- SPF_ENABLE: "1"
- DMARC_SOCKET_PATH: "private/dmarc"
- SMTPS_ENABLE: "1"
- CERT_NAME: "mail.nesono.com"
- AUTHORIZED_SMTPD_XCLIENT_HOSTS: "172.20.0.1"
- SPAMHAUS_DISABLE: "1"
- secrets:
- - mysql_mail_password
- - mysql_mail_user
 ports:
 - "0.0.0.0:25:25" # SMTP (bind to all interfaces)
 - "0.0.0.0:465:465" # SMTPS (bind to all interfaces)
@@ -261,6 +203,7 @@ services:
 volumes:
 - mail:/var/mail
 - mail_spool:/var/spool/postfix
+ - spamass_vhome:/vhome/users
 - /svc/volumes/acme/certs/mail.nesono.com:/etc/postfix/certs:ro
 - /dev/log:/dev/log
 networks:
@@ -893,12 +836,6 @@ volumes:
 o: bind
 type: none
 device: /svc/volumes/mail_spool
- mail_spool_staging:
- driver: local
- driver_opts:
- o: bind
- type: none
- device: /svc/volumes/mail_spool_staging
 mysql_mail_data:
 driver: local
 driver_opts:
diff --git a/roles/compose/tasks/main.yaml b/roles/compose/tasks/main.yaml
index ce2d0a5..d9920d2 100644
--- a/roles/compose/tasks/main.yaml
+++ b/roles/compose/tasks/main.yaml
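Review bot: With `spamass_vhome` mounted here, SpamAssassin scans untrusted mail in the same container that holds `opendkim_key` and the TLS key under `/etc/postfix/certs`, and that container is published on `0.0.0.0:25` and `0.0.0.0:465`. The removed `postfix_milters` service was attached to `mail_internal` only and published no ports, so the DKIM signing key used to sit behind a container boundary. That separation now depends on the image itself: each milter running as its own unprivileged user, and the secret readable by the OpenDKIM user only, which cannot be confirmed from this diff. A comment on the `- opendkim_key` entry would record the requirement, e.g. `# DKIM private key: must be readable only by the opendkim user inside the container`.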
@@ -96,7 +96,6 @@
 mode: "0755"
 loop:
 - mail_spool
- - mail_spool_staging
 tags: [provision]
 - name: Create volume for borgmatic keys (mode 0600)
From 6484d52fcc78280a76f7ddc509cf961bca3d1ff4 Mon Sep 17 00:00:00 2001 From: Jochen Issing Date: Sun, 5 Apr 2026 19:25:23 +0200 Subject: [PATCH 2/3] Update postfix_for_postfixadmin container
---
 roles/compose/files/docker-compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/compose/files/docker-compose.yaml b/roles/compose/files/docker-compose.yaml
index 9b56b97..e9e41ad 100644
--- a/roles/compose/files/docker-compose.yaml
+++ b/roles/compose/files/docker-compose.yaml
@@ -165,7 +165,7 @@ services:
 depends_on:
 - mysql_mail
 - dovecot # SASL authentication
- image: nesono/postfix_for_postfixadmin:2026-04-04.1
+ image: nesono/postfix_for_postfixadmin:2026-04-06
 container_name: postfix
 environment:
 MYHOSTNAME: "smtp.nesono.com"
From 61c52e03f4ae50f6aebc53b688d7b41ee5e69fcd Mon Sep 17 00:00:00 2001 From: Jochen Issing Date: Mon, 6 Apr 2026 11:49:22 +0200 Subject: [PATCH 3/3] Patched postfix for more permission issues
---
 roles/compose/files/docker-compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/compose/files/docker-compose.yaml b/roles/compose/files/docker-compose.yaml
index e9e41ad..59cc83e 100644
--- a/roles/compose/files/docker-compose.yaml
+++ b/roles/compose/files/docker-compose.yaml
@@ -165,7 +165,7 @@ services:
 depends_on:
 - mysql_mail
 - dovecot # SASL authentication
- image: nesono/postfix_for_postfixadmin:2026-04-06
+ image: nesono/postfix_for_postfixadmin:2026-04-06.1
 container_name: postfix
 environment:
 MYHOSTNAME: "smtp.nesono.com"